Barney's Blog

Doug's Mailbag: Public Disclosure of Flaws

Are security firms doing us a favor by letting us know about vulnerabilities? Or does the practice only give uninformed hackers another tool to attack us? Here's what some readers have to say:

I completely agree with you here. Rapid7 is acting in the best interests of the hackers by publicizing this before a fix is in place. Working in IT for the last 20 years has taught me that no matter how tight your security is, there is always a hole. I used to ask pupils at a school I worked at to actively try and hack the network (Novell Netware and Windows 95) in return for letting me know where the holes were. This earned such enterprising individuals extra credit and a nice, warm, fuzzy feeling inside. Not to mention my gratitude. If they had let all the other kids know before giving me chance to plug any gaping holes, there would have been chaos.

Rapid7 is an idiot, in my opinion
.-Roy

Well Barney, I must agree with you. TOTALLY irresponsible to broadcast specifics of a flaw to everyone on the face of the planet. It just enables the hackers that didn't already know about it to go about exploiting the vulnerability before the fix is available.

It would be like the news media reporting on how many U.S. troops are being deployed to which country and how many U.S. ships are being deployed to which body of water and...oh wait, that's being done too.

In a day and age when the media cares more about a 'hot' story than they do about national security why should we expect them to sit on IE flaws?

Geesh, what a wonderful world we live in, eh?-Jim

The reasons are quite simple why these are publically disclosed.

One, it gets your firms name out there. Two, it puts pressure on software designers to hurry and create a patch. And three, as a security firm it generates more income as new clients will want testing done to see if they are affected.

Who would pay top dollar for testing on an issue that already has a patch successfully deployed? Also who better to test for a flaw than the ones who reported it in the first place?

It's morally bad. But from a business mentality, what's bad for you is always good for the corporations. If you want a business to survive in times like these you MUST be ruthless and throw morals to the side. Your competition will not give you any slack. So why should you give them any?

All in all I don't blame them for doing it. I just don't agree with the ethics behind it.-Jonathan

Share your thoughts with the editors of this newsletter! Write to dbarney@redmondmag.com. Letters printed in this newsletter may be edited for length and clarity, and will be credited by first name only (we do NOT print last names or e-mail addresses).